04-16-2015 03:32 AM
Hello,
I'm searching for a method to deny any access to a VLAN member IP (a server in VLAN3) from all VLANs, except two IPs from VLAN4. The server and the two clients must have access to all VLANs.
My Network looks like that:
I have a core switch HP 5412zl and two switches HP 4204vl.
5412zl is default Gateway for all VLANs.
Each VLAN has an IP-Address on the 5412zl.
The 4204vls also handle all VLANs.
config 5412zl:
ip routing
vlan 1
name "Default_VLAN"
untagged A1-A3
ip address dhcp-bootp
no untagged A4-A24
vlan 2
name "VLAN2"
untagged A4-A6
ip helper-address 192.168.3.32
ip address 192.168.2.250 255.255.255.0
tagged A1-A3
vlan 3
name "VLAN3"
untagged A7-A9
ip helper-address 192.168.3.32
ip address 192.168.3.250 255.255.255.0
tagged A1-A3
vlan 4
name "VLAN4"
untagged A10-A12
ip helper-address 192.168.3.32
ip address 192.168.4.250 255.255.255.0
tagged A1-A3
vlan 5
name "VLAN5"
untagged A13-A24
ip helper-address 192.168.3.32
ip address 192.168.5.250 255.255.255.0
tagged A1-A3
config 4204vl_1:
ip routing
vlan 1
name "Default_VLAN"
untagged A1
ip address dhcp-bootp
no untagged A2-A24
vlan 2
name "VLAN2"
untagged A2-A6
ip address 192.168.2.254 255.255.255.0
tagged A1
vlan 3
name "VLAN3"
untagged A7-A9
ip address 192.168.3.254 255.255.255.0
tagged A1
vlan 4
name "VLAN4"
untagged A10-A12
ip address 192.168.4.254 255.255.255.0
tagged A1
vlan 5
name "VLAN5"
untagged A13-A24
ip address 192.168.5.254 255.255.255.0
tagged A1
config 4204vl_2:
ip routing
vlan 1
name "Default_VLAN"
untagged A1
ip address dhcp-bootp
no untagged A2-A24
vlan 2
name "VLAN2"
untagged A2-A6
ip address 192.168.2.253 255.255.255.0
tagged A1
vlan 3
name "VLAN3"
untagged A7-A9
ip address 192.168.3.253 255.255.255.0
tagged A1
vlan 4
name "VLAN4"
untagged A10-A12
ip address 192.168.4.253 255.255.255.0
tagged A1
vlan 5
name "VLAN5"
untagged A13-A24
ip address 192.168.5.253 255.255.255.0
tagged A1
Now I need to know how I have to create an ACL that denies access for all VLANs on all switches to one IP address in VLAN 3.
Only two Clients with fixed IP Addresses from VLAN 4 should access the Server in VLAN 3.
On the other hand, the two clients and the server need to communicate with all other VLANs.
Could anyone tell me how to create the ACL and how I implement it?
Thanks for help.
- Tags:
- ACLs
04-16-2015 09:52 AM
Re: create an ACL to deny access to a VLAN-Member-IP
There are three ways to implement ACLs on the 5400: Port based, VLAN based, and Router based.
Port based is only available inbound today, so probably not the best idea unless you are OK with blocking return traffic instead of initiating traffic. It would look like this:
ip access-list extended "test1"
10 permit ip <Server IP> 0.0.0.0 <Host 1 IP> 0.0.0.0
20 permit ip <Server IP> 0.0.0.0 <Host 2 IP> 0.0.0.0
30 deny ip <Server IP> 0.0.0.0 0.0.0.0 255.255.255.255
40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
interface <Server Port>
ip access-group "test1" in
exit
This would block the server from talking to anything except the two Hosts.
The second option is a Routed ACL. It would look like this:
ip access-list extended "test2"
10 permit ip <Host 1 IP> 0.0.0.0 <Server IP> 0.0.0.0
20 permit ip <Host 2 IP> 0.0.0.0 <Server IP> 0.0.0.0
30 deny ip 0.0.0.0 255.255.255.255 <Server IP> 0.0.0.0
40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
vlan 3
ip access-group "test2" out
exit
This would block all communications with the server from anything outside of VLAN 3 except the two hosts.
If you also want to block other devices on VLAN 3 from communicating with the server, then you would also need a VLAN ACL. It would use the "test2" access list but would be applied at the vlan level. The config would look like this:
vlan 3
ip access-group "test2" out
ip access-group "test2" vlan
exit
I would also recommend disabling routing on the 4200's. Otherwise they could route around these ACLs.
For more details, I would highly recommend looking at the manuals, specifically the ACL chapter of the Access Security Guide.
04-17-2015 03:13 AM
Re: create an ACL to deny access to a VLAN-Member-IP
Thanks for the quick answer!
I would test it and hope to be fine with it.
I will mark the post as closed when I have tested the solution successfully :)
04-17-2015 05:58 AM - edited 04-17-2015 05:59 AM
Re: create an ACL to deny access to a VLAN-Member-IP
The ACL works fine :)
Now I have another question :(
I have a firewall with IP address 192.168.5.1 (VLAN 5).
In VLAN 5 there is only the firewall (transfer network).
How can I arrange that the server can communicate with the internet (Windows updates and other programs)?
thank you very much :)
ps: I used the ip access-list "test2" for out and vlan
04-17-2015 08:15 AM
Now we are starting to see the art in ACLs. I will assume that your internal network uses the 192.168.0.0/16 range (192.168.0.0 through 192.168.255.255). In this case, we need to deny access to everything internally and then permit everything else (the Internet). This is necessary because your server is not communicating with the firewall but routing through it.
Your new list should look like this for example:
ip access-list extended "test2"
10 permit ip <Host 1 IP> 0.0.0.0 <Server IP> 0.0.0.0
20 permit ip <Host 2 IP> 0.0.0.0 <Server IP> 0.0.0.0
30 deny ip 192.168.0.0 0.0.255.255 <Server IP> 0.0.0.0
40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
If you also use the 10.0.0.0/8 network internally, your new list would look like this for example:
ip access-list extended "test2"
10 permit ip <Host 1 IP> 0.0.0.0 <Server IP> 0.0.0.0
20 permit ip <Host 2 IP> 0.0.0.0 <Server IP> 0.0.0.0
30 deny ip 192.168.0.0 0.0.255.255 <Server IP> 0.0.0.0
35 deny ip 10.0.0.0 0.255.255.255 <Server IP> 0.0.0.0
40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
Hope that helps,
Eric
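As an added illustration (not code from the thread or from HPE), the following Python script parses the final "test2" list above with its ProVision-style wildcard masks and evaluates a few sample flows, so you can see which entry each packet hits before loading the list on the switch. The server and host addresses are constructed sample values standing in for the <Server IP>, <Host 1 IP> and <Host 2 IP> placeholders; the script models only the entry lookup, not the direction (out / vlan) in which the list is applied.

```python
import ipaddress

# Constructed sample addresses standing in for the thread's placeholders.
SERVER = "192.168.3.10"
HOST1, HOST2 = "192.168.4.21", "192.168.4.22"

# Eric's final "test2" list (the 10.0.0.0/8 variant), with the sample addresses filled in.
TEST2 = f"""ip access-list extended "test2"
10 permit ip {HOST1} 0.0.0.0 {SERVER} 0.0.0.0
20 permit ip {HOST2} 0.0.0.0 {SERVER} 0.0.0.0
30 deny ip 192.168.0.0 0.0.255.255 {SERVER} 0.0.0.0
35 deny ip 10.0.0.0 0.255.255.255 {SERVER} 0.0.0.0
40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit"""

def matches(addr, base, wildcard):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care' for that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_acl(text):
    """Return [(seq, action, src, src_wc, dst, dst_wc)] from an extended 'ip' ACL, sorted by sequence."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 7 and parts[1] in ("permit", "deny") and parts[2] == "ip":
            seq, action, _, src, swc, dst, dwc = parts
            entries.append((int(seq), action, src, swc, dst, dwc))
    return sorted(entries)

def evaluate(entries, src, dst):
    """First matching entry wins; a list with no matching entry ends in an implicit deny."""
    for seq, action, s, swc, d, dwc in entries:
        if matches(src, s, swc) and matches(dst, d, dwc):
            return action, seq
    return "deny", None

if __name__ == "__main__":
    acl = parse_acl(TEST2)
    flows = [(HOST1, SERVER), ("192.168.2.15", SERVER), ("10.1.2.3", SERVER),
             ("203.0.113.7", SERVER), (SERVER, "203.0.113.7")]
    for src, dst in flows:
        print(f"{src:>14} -> {dst:<14} {evaluate(acl, src, dst)}")
```

The constructed 203.0.113.7 address shows the point of the final list: anything outside the internal ranges falls through to entry 40 and is permitted, while internal sources other than the two hosts stop at entry 30 or 35.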